0 votes

Our cyber security team has asked us to start researching a way to turn off NTLM communication. We noticed that adaxes is using NTLM. Is there a way to force kerberos authentication only for the service?

by (2.3k points)

1 Answer

0 votes
by (288k points)
selected by
Best answer

Hello Mark,

As we understand, you mean NTLM being used for communication between Adaxes service and Web interface. If that is correct, you can force using Kerberos perform the below steps on each computer where Adaxes Web interface is installed:

  1. Navigate to the folder where Adaxes Web interface is installed, which is C:\Program Files\Softerra\Adaxes 3\Web Interface by default.

  2. Open the App folder.

  3. Open the Softerra.Adaxes.Adsi.dll.config file with a text editor.

  4. Locate the application/channels/channel XML element.

  5. Set the servicePrincipalName parameter to Adaxes/<service_FQDN>, where <service_FQDN> is the fully qualified domain name of any computer where your Adaxes service is installed.

     <application>
         <channels>
             <channel ref="tcp" priority="2" secure="true" servicePrincipalName="Adaxes/myadaxesservice.company.com">
                 ...
             </channel>
         </channels>
     </application>
    • If you have multiple instances of Adaxes Web interface, specify the same computer name for each Web interface.
    • If you have multiple instances of Adaxes service sharing common configuration in the same AD site, they should all have the same Adaxes service account.
  6. Save the file.

Also, you need to register the service principal name for your Adaxes service:

  1. On any computer where Adaxes service is installed, launch the command prompt.

  2. Type the following command and press Enter:

     setspn -U -A Adaxes/<service_FQDN> <DOMAIN\username>

    In the command:

    • <service_FQDN> - The fully qualified domain name of the computer where Adaxes service is installed.
    • <DOMAIN\username> - The username of the Adaxes service account.

If you have multiple instances of Adaxes service sharing common configuration:

  • All instances of Adaxes service must use the same service account.
  • You need to register the service principal name only for one instance of Adaxes service in the configuration set.
0

Is it sufficient to just edit the Softerra.Adaxes.Adsi.dll.config file or is it necessary to complete all the steps outlined in the how-to article Enable trust for delegation for web servers for this to work?

0

Hello,

The steps outlined in the article are only required when you enable auto-logon for Adaxes Web interface that is installed on a different computer then Adaxes service. To force using Kerberos, you just need to update the file as we referenced above.

Related questions

0 votes
1 answer

Within Property Patterns, I need a way to fill in 'User Logon Name' with the contents of the mail field only up until the @ sign. The requirement is due to the need ... , have it populate the User Logon Name field with 'accountsreceivable'. How can I do this?

asked Sep 16, 2016 by ajrechk (480 points)
0 votes
1 answer

We want to automate the provisioning of skype users with adaxes. Therefore we installed the Skype module onto the adaxer server. Then we tried to utilise some commands in a ... . How can the Skype module be integrated for Adaxes? Thank you for your help.

asked Apr 23, 2020 by PGstoehl (100 points)
0 votes
1 answer

We'll be updating over 14K accounts with data (adding data to a virtual attribute) using a scheduled task but I don't want the updates to trigger Business Rules and flood the Adaxes log with entries. Is there an easy way to prevent this?

asked Apr 12, 2022 by sandramnc (870 points)
0 votes
0 answers

I am trying to find a way to create Groups based off an OU and a list of options (check boxes) within the portal For example: Select the Target OU to add groups ... 3 - Remote Administrators Option 3 - Remote Developers Option 4 - Readers Option 4 - Writers

asked Sep 11, 2020 by dknapp (100 points)
0 votes
1 answer

I added the Password last set field to the Admin view but when I click on edit it allows the admin user to change the value. Adaxes correclty handel Bad Password time and Bad password ... last set, so I guest there is a way but I can not find it. Thanks you

asked Dec 19, 2019 by tomlaf (60 points)
3,537 questions
3,227 answers
8,219 comments
547,727 users